The Weakest Link In Your Cyber Defenses? Your Own Employees

For businesses trying to shore up their cyber defenses against external threats, it may be counterintuitive to focus on their own people. But careless or unaware employees are now the most likely source of a cyberattack, according to EY’s 19th Global Information Security Survey 2016-17.

The survey, which polled 1,735 global executives, information security managers and IT leaders, found that careless employees are the most likely source of a cyberattack (named by 74 percent of respondents), followed by criminal syndicates (56 percent), malicious employees (52 percent) and hacktivists (46 percent).



“People are just a very large attack surface,” said Anna Aquilina, director of EY’s EMEIA Cybersecurity Centre of Excellence. “Whether it’s a nation-state, a hacker or an organized criminal network, they will look for ways ‘in’ through people.” Attackers’ methods range from highly sophisticated tactics that target a particular executive, to sending random emails to employees to see who clicks on them. In between is a growing array of inventive phishing and ransomware attacks, all intended to gain access to valuable company data and systems.

Many Possible Prizes

Cybercriminal objectives are wide-ranging. According to Aquilina, they include:

Theft of intellectual property about a planned merger, acquisition or divestiture, or about a developing product

Access to employees’ and others’ personally identifiable information, including protected healthcare information that can fetch a high price in criminal forums

Access to compromising information about a top executive for use in blackmail

Encryption of a company’s files until a ransom is paid to decrypt the data

Shutting down a vital utility, such as a regional electric grid, to cause public havoc

The “threat surface” and likely targets will depend on the particular value the organization has for the attacker, Aquilina said. “It’s all about what you have that they want.”

To get their hands on the prize, sophisticated attackers may paint a detailed portrait of the target company’s vulnerabilities, collecting relevant information about employees from public sources such as social media or other websites. Based on an analysis of the vulnerabilities, attackers may determine the optimal phishing strategy.

“They decide who has access to what they want and how best to get it,” Aquilina said. “It could be an executive, a member of a technical support team, a contractor or a supplier.”

Reducing Vulnerabilities

To reduce the frequency and severity of a cyberattack, employees must appreciate their susceptibility to phishing tactics, and the financial, operational and brand impact they impose on employers.

“Since cybersecurity is relevant to a company’s strategy, make it relevant to employees to encourage changes in behavior,” Aquilina said.

In-depth training of employees regarding routine and newer types of phishing is highly advisable. So is the crafting of clear cybersecurity policies that are strictly enforced. Rules should have sharp teeth where necessary.

If an employee violates a rule, Aquilina recommends that the person be required to attend additional training sessions. “Ideally, incentives should be used to encourage good behavior,” she said. “But if an employee is found to have been susceptible to two security breaches, especially if they work in a sensitive or critical area, the person’s bonus could be canceled or significantly reduced or their security clearance revoked.”

Beyond such punitive measures, employees should understand that cyber-risk awareness also pays off in their personal use of technology, because the habits carry over. Said Aquilina: “If they’re careful in their personal lives, they’re more likely to be careful in their work lives.”

Russ Banham is a Pulitzer-nominated business journalist and author of 24 books, including his newest, “Higher,” a history of The Boeing Company.